AU-5: Response to Audit Logging Process Failures
Control Family:
Threats Addressed:
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- AU-5: Response To Audit Processing Failures
Control Statement
- Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and
- Take the following additional actions: [Assignment: organization-defined additional actions].
Supplemental Guidance
Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.
Control Enhancements
AU-5(1): Storage Capacity Warning
Baseline(s):
- High
Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
AU-5(2): Real-time Alerts
Baseline(s):
- High
Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts].
AU-5(3): Configurable Traffic Volume Thresholds
Baseline(s):
Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Assignment: reject, delay] network traffic above those thresholds.
AU-5(4): Shutdown on Failure
Baseline(s):
Invoke a [Assignment: full system shutdown, partial system shutdown, degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists.
AU-5(5): Alternate Audit Logging Capability
Baseline(s):
Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality].
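The control statement, the supplemental guidance, and enhancements (1), (2), (4) and (5) together describe a small decision procedure: warn when audit storage reaches a configured percentage of capacity, alert designated roles within a defined period (in real time for selected event classes), apply the organization's additional action for the failure type, and fall back to an alternate logging capability instead of shutting down when one exists. The Python below is an added example written for this page, not NIST text or a reference implementation; the roles, time periods, percentage threshold, action table and repository sizes are assumed values standing in for the organization-defined assignments.

```python
"""Audit-logging failure handling modelled on AU-5 (example, not NIST text).

Constructed example: the policy table, roles, thresholds and sample
repository sizes below are assumptions chosen to illustrate the control,
not values defined by the control catalogue.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Failure(Enum):
    """Failure classes named in the AU-5 supplemental guidance."""
    SOFTWARE = "software_error"
    HARDWARE = "hardware_error"
    CAPTURE = "capture_mechanism_failure"
    STORAGE_FULL = "storage_capacity_reached"


@dataclass
class Policy:
    """Organization-defined parameters (assumed values for the example)."""
    alert_roles: List[str]
    alert_within_seconds: int                # AU-5 "organization-defined time period"
    warn_pct: float                          # AU-5(1) percentage of max capacity
    realtime_events: List[Failure]           # AU-5(2) events needing real-time alerts
    additional_actions: Dict[Failure, str]   # AU-5 "additional actions" per failure type
    alternate_logging_available: bool        # AU-5(5) alternate capability present?


def storage_warning(used_bytes: int, capacity_bytes: int, policy: Policy) -> Optional[dict]:
    """AU-5(1): warn when used volume reaches the configured percentage of capacity.

    Returns None below the threshold, otherwise a warning record for the
    designated roles. A capacity of zero is treated as full: a misconfigured
    repository should warn, not silently pass.
    """
    pct = 100.0 if capacity_bytes <= 0 else 100.0 * used_bytes / capacity_bytes
    if pct < policy.warn_pct:
        return None
    return {
        "warning": "audit_storage_capacity",
        "percent_used": round(pct, 1),
        "threshold_percent": policy.warn_pct,
        "notify": list(policy.alert_roles),
        "deadline_seconds": policy.alert_within_seconds,
    }


def respond(failure: Failure, policy: Policy) -> List[str]:
    """AU-5 response: always alert, then apply the organization's additional action.

    AU-5(4) shutdown is invoked only when no alternate logging capability
    exists; when one is present, AU-5(5) fail-over is taken instead.
    """
    roles = ",".join(policy.alert_roles)
    # Base requirement: alert designated roles within the defined period;
    # AU-5(2): real-time alert for the configured event classes.
    if failure in policy.realtime_events:
        actions = [f"alert_realtime:{roles}"]
    else:
        actions = [f"alert_within_{policy.alert_within_seconds}s:{roles}"]

    extra = policy.additional_actions.get(failure)
    if extra == "shutdown":
        if policy.alternate_logging_available:
            actions.append("failover_to_alternate_audit_logging")   # AU-5(5)
        else:
            actions.append("shutdown")                              # AU-5(4)
    elif extra:                                                     # e.g. overwrite_oldest
        actions.append(extra)
    # No additional action configured: alerting alone satisfies AU-5.
    return actions


# Assumed organization-defined values for the example.
EXAMPLE_POLICY = Policy(
    alert_roles=["soc-oncall", "isso"],
    alert_within_seconds=300,
    warn_pct=80.0,
    realtime_events=[Failure.CAPTURE, Failure.HARDWARE],
    additional_actions={
        Failure.STORAGE_FULL: "overwrite_oldest",
        Failure.CAPTURE: "shutdown",
    },
    alternate_logging_available=True,
)


if __name__ == "__main__":
    # Constructed repository sizes: 850 MiB used of a 1 GiB repository.
    print(storage_warning(850 * 2**20, 1024 * 2**20, EXAMPLE_POLICY))
    for f in Failure:
        print(f.value, "->", respond(f, EXAMPLE_POLICY))
```

The "reaches" wording in AU-5(1) is implemented as a greater-than-or-equal comparison, and the response for a failure with no configured additional action is the alert alone, which the supplemental guidance explicitly permits.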